Why do we need Origin?
As you probably know, there's an HTTP header Referer that usually contains the URL of the page which initiated a network request.
For instance, when fetching http://google.com from http://javascript.info/some/url, the headers look like this:
Accept: */*
Accept-Charset: utf-8
Accept-Encoding: gzip,deflate,sdch
Connection: keep-alive
Host: google.com
Origin: http://javascript.info
Referer: http://javascript.info/some/url
As you can see, both Referer and Origin are present.
The questions:
- Why is Origin needed, if Referer has even more information?
- Is it possible that there's no Referer or Origin, or that it's incorrect?
We need Origin because sometimes Referer is absent. For instance, when we fetch an HTTP page from HTTPS (accessing a less secure resource from a more secure one), there's no Referer.
The Content Security Policy may forbid sending a Referer.
As we'll see, fetch also has options that prevent sending the Referer and even allow changing it (within the same site).
By specification, Referer is an optional HTTP header.
Precisely because Referer is unreliable, Origin was invented. The browser guarantees a correct Origin for cross-origin requests.
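The practical consequence on the server side is that a check of "where did this request come from" should be driven by Origin, with Referer used only as a fallback for the cases above where Origin is absent (same-origin navigations, non-browser clients). The following is an added example, not code from the javascript.info page: a small Node-style helper that derives the request origin from the two headers and applies a hypothetical allowlist. The header sets at the bottom are constructed to mirror the scenarios in the text (both headers present, Referer stripped, neither present); ALLOWED_ORIGINS and the function names are assumptions made for the example.

```javascript
// Added example (not from the javascript.info page): derive the requesting
// page's origin from the request headers. Origin is preferred because the
// browser sets it reliably on cross-origin requests; Referer is only a
// fallback because it is optional and may be stripped (HTTPS -> HTTP,
// Content-Security-Policy, fetch referrer options).

// Hypothetical allowlist of origins permitted to call this API (assumption).
const ALLOWED_ORIGINS = new Set(["http://javascript.info", "https://javascript.info"]);

// Reduce a full URL (e.g. a Referer value) to its origin: scheme://host[:port].
// Returns null for malformed or relative values so callers treat them as unknown.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Determine where a request came from.
// headers: plain object with lowercase header names, as Node's http module exposes them.
// Returns { origin, source } where source is "origin", "referer" or null.
function requestOrigin(headers) {
  const origin = headers["origin"];
  // An opaque origin is sent literally as "null"; it carries no usable information.
  if (origin && origin !== "null") {
    return { origin: originOf(origin), source: "origin" };
  }
  const referer = headers["referer"];
  if (referer) {
    return { origin: originOf(referer), source: "referer" };
  }
  return { origin: null, source: null };
}

// Policy decision for a state-changing cross-origin request: allow only when
// the origin is known and on the allowlist. A missing Origin and Referer is
// treated as untrusted, which is the safe default because a legitimate
// cross-origin browser request always carries Origin.
function isAllowedCrossOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const { origin } = requestOrigin(headers);
  return origin !== null && allowed.has(origin);
}

// Constructed sample header sets mirroring the page's scenarios.
const withBoth = {
  host: "google.com",
  origin: "http://javascript.info",
  referer: "http://javascript.info/some/url",
};
const refererStripped = { host: "google.com", origin: "http://javascript.info" }; // e.g. HTTPS -> HTTP page
const neither = { host: "google.com" }; // non-browser client or same-origin GET

console.log(requestOrigin(withBoth));        // { origin: 'http://javascript.info', source: 'origin' }
console.log(requestOrigin(refererStripped)); // { origin: 'http://javascript.info', source: 'origin' }
console.log(requestOrigin(neither));         // { origin: null, source: null }
console.log(isAllowedCrossOrigin(neither));  // false
```

The design choice worth noting is the order of the lookups: Origin is consulted first and Referer only when Origin is missing, so stripping the Referer (the HTTPS to HTTP case, a CSP directive, or a fetch referrer option) does not change the decision for a cross-origin request. When neither header is present the helper refuses rather than guesses, since the page's point is that Referer cannot be relied on, while Origin can.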